rules/cloud/azure/azure_change_to_authentication_method.yml

title: Change to Authentication Method
id: 4d78a000-ab52-4564-88a5-7ab5242b20c7
status: experimental
author: AlertIQ
date: 2021/10/10  
description: Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access.
references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
logsource:
  product: azure
  service: auditlogs
detection:
  selection:
    LoggedByService: 'Authentication Methods'
    Category: 'UserManagement'
    OperationName: 'User registered security info'
  condition: selection
level: medium
falsepositives:
  - Unknown
tags:
  - attack.credential_access
Azure Security Operations for Priveleged Accounts 2021-10-10 16:06:28 +04:00			`title: Change to Authentication Method`
			`id: 4d78a000-ab52-4564-88a5-7ab5242b20c7`
			`status: experimental`
			`author: AlertIQ`
			`date: 2021/10/10`
			`description: Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access.`
			`references:`
			`- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts`
			`logsource:`
$frack113$ Add azure product 2021-11-14 10:50:16 +01:00			`product: azure`
refactor: first bigger log source refactoring 2022-03-22 17:58:29 +01:00			`service: auditlogs`
Azure Security Operations for Priveleged Accounts 2021-10-10 16:06:28 +04:00			`detection:`
			`selection:`
			`LoggedByService: 'Authentication Methods'`
			`Category: 'UserManagement'`
			`OperationName: 'User registered security info'`
			`condition: selection`
			`level: medium`
Change the service to the form service: azure._a_name_ and add falsepositives field 2021-10-13 15:12:36 +04:00			`falsepositives:`
			`- Unknown`
Azure Security Operations for Priveleged Accounts 2021-10-10 16:06:28 +04:00			`tags:`
			`- attack.credential_access`